Added Access Control for Network Interface (#683)

* Code move

* Code move

* Use RoutingContext type

* Structs split

* Renaming

* Visibility

* Move ingress/egress filters out of pubsub

* Make hat abstract

* Abstract missing close_face fn

* Duplicate hat

* Move Primitives

* Move link_id into HatFace

* Change face initialization

* Interceptors

* Interceptor types renaming

* Rename RoutingContext

* Add RoutingContext and LoggerInterceptor

* Interceptors can access the Config at construction

* Split linkstate and p2p peer hats

* Simplify HatTrait init function

* Hats cleanup

* Reintroduce routes precomputation

* Improve routes precomputation

* Reintroduce matching pulls precomputation

* Perf improvements

* Perf improvements

* Remove files wrongly reintroduced by merge

* Fix complete_n build

* Remove useless checks

* Fix OAM handling

* Remove commented code

* Simplified routes computation hats api

* Move matching pulls computation out of hats

* Fix query routes update

* Fix copy-paste error

* Renaming

* Add missing query routes deactivations

* Refactor code

* Improve perfromances

* WIP: added pep pdp points

* WIP:added interceptor code and PEP logic

* WIP:added datastructures for policy and PDP logic

* WIP:first basic acl prototype

* WIP:first acl prototype

* WIP:first acl prototype

* WIP:ACL phase 1

* WIP:ACL phase 1

* WIP:Modified ACL for attributes

* WIP:Modified ACL for attributes

* WIP:Cleaned code

* WIP:merging code

* WIP:adding config conditions

* WIP:merging with DS

* WIP:moved rules into config file

* WIP:moved rules into config file

* WIP:merging changes

* Revert "WIP:merging changes"

This reverts commit 50c9f0e.

* WIP:merging new changes

* WIP:merging new changes

* WIP:ACL with networkinterface

* WIP:ACL with networkinterface

* WIP:ACL with networkinterface

* WIP:ACL with networkinterface

* WIP:Added multi-interface funcionality

* WIP: Improved code design for ACL

* WIP: Modified for new config style

* WIP: Modified for new config style

* WIP: Added changes for default behaviour

* WIP: Added changes for default behaviour

* WIP: Added changes for default behaviour

* WIP: Cleaning code

* WIP: Config changes after discussion

* WIP: Config changes after discussion

* WIP: Adding Queryable

* WIP: Adding key-expr caching

* Cleaning config file

* made review changes

* made review changes

* adding review changes for logs and removing bool values

* adding review changes

* adding actions for both ingress and egress

* adding ingress and egress flow

* cleaning code

* adding tests

* cleaning policy code

* acl tests for queryable

* replaced nested Vec with structs

* fixed queryable test issue

* fixed cache downcast error

* fixed interface issue in tests

* move acl config out of transport

* move acl config out of transport

* clean tests code

* clean tests code

* clean config file

* clean config file

* clean code

* resolve conflicts

* resolve conflicts issues

* refactor code

* refactor code

* refactor code

* refactor code for review changes

* refactor code for review changes

* fix acl tests issue

* fix acl tests issue

* fix acl tests issue

* fix acl tests issue

* fix acl tests issue

* resolve merge conflicts

* Update DEFAULT_CONFIG.json5

Co-authored-by: Alexander <[email protected]>

* change acl to access_control for clarity

* fix: Remove sync-lockfiles workflow (#925)

* modify actions values in config file

* remove [ACCESS LOG] string from the logs

* Remove [ACCESS LOG] from logging

* rework access control logging

* Add ingress/egress logs

* add interface name in access logs

* Fix log level

* Add missing header

* Add missing header files

---------

Co-authored-by: OlivierHecart <[email protected]>
Co-authored-by: Alexander <[email protected]>
Co-authored-by: Mahmoud Mazouz <[email protected]>
Co-authored-by: Luca Cominardi <[email protected]>

Author: 5 people

Cargo.lock

@@ -219,4 +219,4 @@ debug = false     # If you want debug symbol in release mode, set the env variab
 lto = "fat"
 codegen-units = 1
 opt-level = 3
-panic = "abort"
+panic = "abort"

Cargo.toml

@@ -175,7 +175,30 @@
   //      ],
   //    },
   //  ],
-
+  //  /// configure access control (ACL) rules 
+  //  access_control: {
+  //   ///[true/false] acl will be activated only if this is set to true
+  //   "enabled": false,
+  //   ///[deny/allow] default permission is deny (even if this is left empty or not specified)
+  //   "default_permission": "deny",
+  //   ///rule set for permissions allowing or denying access to key-expressions
+  //   "rules": 
+  //   [
+  //     {
+  //       "actions": [
+  //         "put", "get", "declare_subscriber", "declare_queryable"
+  //       ],
+  //       "flows":["egress","ingress"],
+  //       "permission": "allow",
+  //       "key_exprs": [
+  //         "test/demo"
+  //       ],
+  //       "interfaces": [
+  //         "lo0"
+  //       ]
+  //     },
+  //  ]
+  //},
   /// Configure internal transport parameters
   transport: {
     unicast: {
@@ -318,7 +341,6 @@
     shared_memory: {
       enabled: false,
     },
-    /// Access control configuration
     auth: {
       /// The configuration of authentification.
       /// A password implies a username is required.

DEFAULT_CONFIG.json5

@@ -221,6 +221,16 @@ impl Default for SharedMemoryConf {
     }
 }
 
+impl Default for AclConfig {
+    fn default() -> Self {
+        Self {
+            enabled: false,
+            default_permission: Permission::Deny,
+            rules: None,
+        }
+    }
+}
+
 pub const DEFAULT_CONNECT_TIMEOUT_MS: ModeDependentValue<i64> =
     ModeDependentValue::Dependent(ModeValues {
         client: Some(0),

commons/zenoh-config/src/defaults.rs

@@ -73,9 +73,9 @@ impl Zeroize for SecretString {
 
 pub type SecretValue = Secret<SecretString>;
 
-#[derive(Debug, Deserialize, Serialize, Clone)]
+#[derive(Debug, Deserialize, Serialize, Clone, Copy)]
 #[serde(rename_all = "lowercase")]
-pub enum DownsamplingFlow {
+pub enum InterceptorFlow {
     Egress,
     Ingress,
 }
@@ -97,7 +97,48 @@ pub struct DownsamplingItemConf {
     /// A list of interfaces to which the downsampling will be applied.
     pub rules: Vec<DownsamplingRuleConf>,
     /// Downsampling flow direction: egress, ingress
-    pub flow: DownsamplingFlow,
+    pub flow: InterceptorFlow,
+}
+
+#[derive(Serialize, Debug, Deserialize, Clone)]
+pub struct AclConfigRules {
+    pub interfaces: Vec<String>,
+    pub key_exprs: Vec<String>,
+    pub actions: Vec<Action>,
+    pub flows: Vec<InterceptorFlow>,
+    pub permission: Permission,
+}
+
+#[derive(Clone, Serialize, Debug, Deserialize)]
+pub struct PolicyRule {
+    pub subject: Subject,
+    pub key_expr: String,
+    pub action: Action,
+    pub permission: Permission,
+    pub flow: InterceptorFlow,
+}
+
+#[derive(Serialize, Debug, Deserialize, Eq, PartialEq, Hash, Clone)]
+#[serde(untagged)]
+#[serde(rename_all = "snake_case")]
+pub enum Subject {
+    Interface(String),
+}
+
+#[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]
+#[serde(rename_all = "snake_case")]
+pub enum Action {
+    Put,
+    DeclareSubscriber,
+    Get,
+    DeclareQueryable,
+}
+
+#[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]
+#[serde(rename_all = "lowercase")]
+pub enum Permission {
+    Allow,
+    Deny,
 }
 
 pub trait ConfigValidator: Send + Sync {
@@ -431,6 +472,7 @@ validated_struct::validator! {
                     known_keys_file: Option<String>,
                 },
             },
+
         },
         /// Configuration of the admin space.
         pub adminspace: #[derive(Default)]
@@ -456,6 +498,13 @@ validated_struct::validator! {
         /// Configuration of the downsampling.
         downsampling: Vec<DownsamplingItemConf>,
 
+        ///Configuration of the access control (ACL)
+        pub access_control: AclConfig {
+            pub enabled: bool,
+            pub default_permission: Permission,
+            pub rules: Option<Vec<AclConfigRules>>
+        },
+
         /// A list of directories where plugins may be searched for if no `__path__` was specified for them.
         /// The executable's current directory will be added to the search paths.
         plugins_search_dirs: Vec<String>, // TODO (low-prio): Switch this String to a PathBuf? (applies to other paths in the config as well)

commons/zenoh-config/src/lib.rs

@@ -48,7 +48,7 @@ transport_tls = ["zenoh-transport/transport_tls"]
 transport_udp = ["zenoh-transport/transport_udp"]
 transport_unixsock-stream = ["zenoh-transport/transport_unixsock-stream"]
 transport_ws = ["zenoh-transport/transport_ws"]
-transport_vsock= ["zenoh-transport/transport_vsock"]
+transport_vsock = ["zenoh-transport/transport_vsock"]
 unstable = []
 default = [
     "auth_pubkey",
@@ -66,6 +66,7 @@ default = [
 [dependencies]
 tokio = { workspace = true, features = ["rt", "macros", "time"] }
 tokio-util = { workspace = true }
+ahash = { workspace = true }
 async-trait = { workspace = true }
 base64 = { workspace = true }
 const_format = { workspace = true }